rhdtp

Reputation: 75

AWS call Lambda inside VPC to another Lambda in another VPC

Is it possible to call a Lambda function that lives within a VPC from another Lambda in another VPC?

I'm trying to do it with an AWS VPC Endpoint, but I can't get it to work. It returns a 403 error. I am following these steps: https://aws.amazon.com/es/blogs/compute/introducing-amazon-api-gateway-private-endpoints/.

And https://cedrus.digital/aws-privatelink-with-api-gateway-and-lambda-functions/

I am not sure if the VPC Endpoint should be created in the VPC where the Lambda will be called or in the one where it will receive the request.

I have even set the API Gateway resource policy like this:

{
    "Statement": [
        {
            "Principal": "*",
            "Action": [
                "execute-api:Invoke"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

And the VPC endpoint policy is set to Full access.

Upvotes: 2

Views: 5989

Answers (3)

grantr

Reputation: 1049

Launch Lambda from Lambda thru API Gateway VPC Endpoint

Updated AWS walkthrough using API Gateway: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html

I followed these instructions and now I can launch one Lambda from the other (both attached to the same VPC) using a POST request in Python. I did this because communicating over the internet was not an option for security compliance reasons:

import requests

# Private API stage URL; from inside the VPC this resolves to the execute-api VPC endpoint
requests.post('https://whatever.execute-api.us-east-2.amazonaws.com/v1/processor', json={'your_key': 'your val'})

Notes:

  1. When creating the VPC endpoint, the service name to look for is: com.amazonaws.region.execute-api
  2. Make sure to heed the instructions about the security group. Create a security group for your Lambda function and add it as a source to the security group attached to the VPC endpoint:
     • For Security group, select the security group to associate with the VPC endpoint network interfaces.
       The security group you choose must be set to allow TCP Port 443 inbound HTTPS traffic from either an IP range in your VPC or another security group in your VPC.
  3. Don't forget to add the policy: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html#apigateway-private-api-set-up-resource-policy

Here's my very unrestrictive policy as an example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-2:<your account id>:whatever/*",
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpc": "<your VPC id>"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "arn:aws:execute-api:us-east-2:<your account id>:whatever/*"
    }
  ]
}

Upvotes: 0
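To see why the Deny-with-StringNotEquals plus unconditional-Allow pair in the policy above admits only callers whose request context carries the expected aws:sourceVpc, here is an added example (not from the answer or from AWS) that evaluates that policy shape for a few request contexts the way IAM does, with an explicit Deny overriding any Allow. The account id, VPC id, resource ARN and the helper names are assumptions, and only the condition operator this policy uses is modelled.

```python
import json
import re

# Constructed sample: the "deny unless the request comes from my VPC" resource policy
# from the answer above, with placeholder account and VPC ids (not real values).
PRIVATE_API_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-2:123456789012:whatever/*",
     "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-0123456789abcdef0"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "execute-api:Invoke",
     "Resource": "arn:aws:execute-api:us-east-2:123456789012:whatever/*"}
  ]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _condition_holds(condition, context):
    """Evaluate the one operator this policy shape uses: StringNotEquals."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            actual = context.get(key)  # None when the key is absent from the request
            if operator != "StringNotEquals":
                raise ValueError(f"operator {operator} not modelled here")
            # Negated operator: an absent key (request not routed through any VPC) matches.
            if actual in _as_list(wanted):
                return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny'; an explicit Deny wins over any Allow, as in IAM."""
    decision = "Deny"  # implicit deny until some Allow statement matches
    for stmt in policy["Statement"]:
        if not any(_iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

A call from the listed VPC evaluates to Allow, while a call from any other VPC, or one whose context has no aws:sourceVpc at all, hits the explicit Deny, which is the 403 you would see from API Gateway.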

Arun Kamalanathan

Reputation: 8583

There are a few ways in which you can invoke a Lambda from another Lambda.

Lambda invokes the other Lambda directly

When you invoke a Lambda (caller) from another Lambda (callee) using the AWS SDK's invoke function, as mentioned in an answer already, the Lambda (caller) should have internet connectivity, because AWS SDK calls are by default made over the internet.

Therefore either the Lambda should be deployed in a public subnet (not recommended) or you should have a NAT Gateway (or a NAT instance, which is cheaper), so that the Lambda can invoke the other Lambda over the internet.

Lambda invokes the other Lambda through API Gateway

You don't even need to consider this option if the calling lambda has internet connectivity.

You can indeed create a private VPC endpoint for API Gateway at the destination Lambda's end. Then the calling Lambda can make an HTTPS call via the VPC endpoint's DNS URL.

For this to work, your VPC endpoint should be accessible from the other VPC, from where you are going to make the HTTP call.

Therefore VPC peering between the VPCs will make it possible. The good news is that VPC endpoints are now accessible through VPC peering.

Hope this helps.

Reference: https://aws.amazon.com/about-aws/whats-new/2019/03/aws-privatelink-now-supports-access-over-vpc-peering/

Upvotes: 4

John Rotenstein

Reputation: 269101

To invoke an AWS Lambda function via an API call, the calling entity must have access to the Internet. It doesn't matter whether the calling entity is in the same VPC, a different VPC, or even not in a VPC. All that matters is that the request can be sent to the AWS Lambda API endpoint.

If the calling Lambda function is in a VPC, make sure that it has access to the Internet. This typically requires:

  • The Lambda function is in a private subnet
  • There is a NAT Gateway in a public subnet
  • The Route Table for the private subnet directs 0.0.0.0/0 traffic to the NAT Gateway

Alternatively, if the calling Lambda function is not connected to a VPC, then it automatically receives access to the Internet.

It also does not matter to what the "called" Lambda function is connected (VPC or not). The control plane that activates this Lambda function is on the Internet, which is unrelated to where the Lambda function itself is connected.

Upvotes: 7
